Not forwarding packets
I have a Linux laptop with two NICs which has worked as a firewall in the past. Now that I've changed some settings (which were necessary) it no longer works. I've spent the whole day experimenting and so am forced to post. OK, as much detail as possible...
Hardware: Toshiba Laptop 460CDT, 32Mb RAM, so no graphics, only command line
eth0: Belkin, eth1: Netgear
Distro: Redhat 7.0
I am feeding a subnet off my brother's home network and so can't change some settings, but his router to the Internet is 192.168.71.2.
My machines were in the range of 192.168.144.201 to 192.168.144.206 but masqueraded into his network via the linux firewall with IP addresses 192.168.144.206 on my side and 192.168.71.198 on his. I have a selection of bash scripts which amend the ipchains configuration. Everything was fine.
1. Now, I want to run a web server and so cannot use NAT/IP masquerading anymore, re Tsuji et al. (2000) p. 176. It seems that we cannot hide the web server behind a masqueraded IP address.
2. So I decided to change my IP address range from 192.168.144.200/29 to 192.168.71/29 and now it doesn't work.
3. I have IP packet forwarding set to true/yes/1 because I get
# cat /proc/sys/net/ipv4/ip_forward
1
4. My ipchains firewall is set to accept everything at the moment but obviously I will tighten it once I get some packets through.
# ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
5. The configuration file for the first NIC seems OK...
# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
IPADDR="192.168.71.198"
NETMASK="255.255.255.0"
ONBOOT="yes"
...other less relevant settings follow.
6. The configuration file for the second NIC...
# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE="eth1"
IPADDR="192.168.71.206"
NETMASK="255.255.255.248"
ONBOOT="yes"
...other less relevant settings follow.
7. The overall network config file...
# cat /etc/sysconfig/network
NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME="toshiba.foo.bar"
DOMAINNAME="foo.bar"
GATEWAY="192.168.71.2"
GATEWAYDEV="eth0"
...other less relevant settings follow.
8. Rebooting the network...
# /etc/rc.d/init.d/network restart
Shutting down interface eth0 [OK]
Shutting down interface eth1 [OK]
Disabling IPv4 packet forwarding [OK]
Setting network parameters [OK]
Note it does not say "Enabling IPv4 packet forwarding"!!!!!!!!
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]
8. Using ifconfig...
# ifconfig
eth0 Link encap:Ethernet HWAddr 00:30:BD:11:49:51
inet addr:192.168.71.198 Bcast:192.168.71.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:59 errors:0 dropped:0 overruns:0 frame:0
TX packets:218 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:3 Base address:0x300
eth1 Link encap:Ethernet HWAddr 00:09:5B:1C:DB:4E
inet addr:192.168.71.206 Bcast:192.168.71.207 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:765 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:5 Base address:0x340
lo Link encap:Local loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:95 errors:0 dropped:0 overruns:0 frame:0
TX packets:95 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
9. Checking my routing table I get:
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.71.200 * 255.255.255.248 U 0 0 0 eth1
192.168.71.0 * 255.255.255.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.71.2 0.0.0.0 UG 0 0 0 eth0
I realise that some people may object to the overlap implied in this table, but I think it should still work. After all, the table is sorted and scanned by Genmask, and so if the laptop receives a packet destined for my little subnet 192.168.71.200/255.255.255.248 then it will match the top entry and pump it through to NIC eth1. Only if it fails the first line does it get to the second line and pump out through NIC eth0.
Besides, I have tried reconfiguring the second line with an address of 192.168.71.0/255.255.255.128, which would eliminate the overlap, to see if that helps, but sadly no luck.
10. Some defined hostnames...
# cat /etc/hosts
127.0.0.1 toshiba localhost.localdomain localhost
192.168.71.198 belkin.toshiba.foo.bar belkin0
192.168.71.206 netgear1.toshiba.foo.bar
192.168.71.201 compaq.foo.bar
11. Other stuff probably not relevant...
# cat /etc/host.conf
order hosts, bind
12. So, from a Windows box within my little subnet, compaq.foo.bar 192.168.71.201, I try pinging my brother's Internet router:
> ping 192.168.71.2
...Request timed out...
Fails
13. Again from the box in my subnet, I see if I can reach the NIC in the laptop on my subnet's side...
> ping 192.168.71.206
Reply from 192.168.71.206...
Success as you would expect.
14. Again from the box in my subnet, I see if I can reach the NIC in the laptop on the far side...
> ping 192.168.71.198
Reply from 192.168.71.206...
Success, as I didn't expect. It manages to traverse the first NIC to the second NIC but never gets any further! Very strange, in my humble opinion.
15. Repeating step 12, but this time running a sniffer:
# tcpdump -n >dump
> ping 192.168.71.2
...Request timed out....
# cat dump
00:49:22 eth1 B arp who-has 192.168.71.2 tell 192.168.71.201
00:49:23 eth1 B arp who-has 192.168.71.2 tell 192.168.71.201
00:49:24 eth1 B arp who-has 192.168.71.2 tell 192.168.71.201
00:49:26 eth1 B arp who-has 192.168.71.2 tell 192.168.71.201
I think that's a pretty exhaustive report of the settings; do I get a prize?
Any help is prize enough, people.
Regards,
Meadensi
Bibliography:
Setting Up a Linux Internet Server (2000) by Hidenori Tsuji & Takashi Watanabe (Coriolis).
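As an added example (not part of the original post), the two lookups that decide where the pinged packets in steps 9 and 15 go: the laptop's longest-prefix match over the routing table shown in step 9, and the on-link test a host such as compaq performs to decide whether it ARPs for the destination itself or for its default gateway. The routes and addresses are copied from the post; the Windows box's netmask and gateway are supplied as constructed inputs, since the post does not show them.

```python
import ipaddress

# Routing table from step 9 of the post: (destination, gateway or None if on-link, interface).
ROUTES = [
    ("192.168.71.200/29", None, "eth1"),
    ("192.168.71.0/24", None, "eth0"),
    ("127.0.0.0/8", None, "lo"),
    ("0.0.0.0/0", "192.168.71.2", "eth0"),  # default route via the brother's router
]


def lookup(dst, routes=ROUTES):
    """Kernel-style longest-prefix match.

    Among all routes whose network contains dst, the most specific (longest
    Genmask) wins, regardless of the order the rows are listed in.
    Returns (interface, next_hop); next_hop is dst itself for an on-link route.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, dev)
    if best is None:
        return None
    _, gw, dev = best
    return dev, (gw if gw is not None else str(addr))


def arp_target(host_ip, netmask, gateway, dst):
    """Which address a sending host ARPs for before transmitting to dst.

    If dst falls inside the host's own subnet (by the host's netmask) the host
    ARPs for dst directly; otherwise it ARPs for its configured gateway and
    hands the packet to it. The capture in step 15 shows 192.168.71.201 ARPing
    for 192.168.71.2 itself, so this test reproduces both possible netmasks.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    return dst if ipaddress.ip_address(dst) in iface.network else gateway


if __name__ == "__main__":
    for target in ("192.168.71.201", "192.168.71.2", "10.0.0.1"):
        print(target, "->", lookup(target))
    # Constructed inputs: the post shows only the host's IP, not its mask or gateway.
    for mask in ("255.255.255.248", "255.255.255.0"):
        print(mask, "-> ARP for", arp_target("192.168.71.201", mask, "192.168.71.206", "192.168.71.2"))
```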